The Pell Center report claims that the demand for cybersecurity skills is increasing exponentially. I remember hearing that back in the dot-com days and even five years ago. I suspect that’ll never change. I found several arguments in the report particularly bothersome. For example, they call for the creation of a nationally recognized, independent body to serve as a clearinghouse that sets professional standards and education and training requirements for cybersecurity. Is the (ISC)² – the foremost information security certification organization – a box of rocks? What else is truly needed above and beyond the CISSP code of ethics and body of knowledge? Ditto for the ISACA certifications. SANS, CompTIA, and even the U.S. government’s Department of Defense have their own proven programs as well.

I will agree with the report in that the security education and certification programs offered today are fragmented. Still, how is that any different from the fragmentation in the medical field that’s used as an example in the report? I know plenty of healthcare professionals, such as chiropractors and naturopathic doctors, who don’t have to meet the same requirements as MDs. Their services are quite well received. Information security-related training and certifications are really no different in this respect. Why does there have to be one all-knowing training and certification body?

What’s really interesting in the report is the reference to a “desperate shortage of people who can design secure systems, write safe computer codes and create the tools needed to prevent, detect and mitigate attacks and system failures”. I’ve yet to meet a single IT or security professional who wasn’t very good at what he or she does, including in all of these areas. The technical tools for proper security visibility and oversight are already available. The real problem is one of culture, ignorance, and apathy, especially among business executives who ultimately call the shots via budgets and political support.

Information security challenges are born in implementation, management, and accountability, not in the mere skills that are said to be missing. Instead of the government or another standards body stepping in and “fixing” the problem with technical skills, what’s needed is an overhaul of soft skills across the IT industry. The lack of verbal communication, poor writing abilities, and failure to grow relationships within the business are what really hold information security programs back. Yet some, often those with something to gain personally, believe that we just need more regulation.

There’s not a crisis with job skills. Nor is it problematic that actual skills are hard to quantify based on education and credentials, as the report alludes. We’ve known for decades that degrees and certifications don’t make the professional. It’s no different from doctors and lawyers today. Just because someone has the book smarts to pass a stringent exam has very little to do with how good of a doctor or lawyer they will actually be. As research has shown, there are several types of intelligence, with intrapersonal or “emotional” intelligence arguably being the most important, especially for IT and security professionals.

The report also states that “there is a continued lack of clearly defined roles and career paths for this increasingly-vital line of work.” Does the lack of goals and direction need to be regulated as well? Or, should we not let the cream of the crop in IT and security rise to the top of their fields based on motivation, merit, and personal accomplishment? I do agree with the report when it refers to corporate leaders who “display tendencies to treat cybersecurity as an isolated ‘IT problem’ best left to their already overwhelmed IT departments”. Still, is that not something the free market can work out based on the decisions of business leaders? Choices have consequences. It’s not the duty of society to create a safety net for everyone anytime there’s a misstep.

One last annoyance from the Pell Center report: all the references to “cybersecurity”. I haven’t yet met anyone who can explain how “cybersecurity” differs from information security. Yet, the marketers, government bureaucrats, and those looking to offer something different can portray a new identity with this word. Certain lawmakers have been pushing for a “cybersecurity” bill for years. Many got their way when the president put in place one of his many recent executive orders, this time on “cybersecurity”. Since then, it’s as if the entire information security industry has been rebranded. And we wonder why outsiders don’t buy into what we’re selling.

Many people believe it’s the role of government to solve all of society’s problems. We’ve seen how well that has worked for many decades. I’m not against accreditation for the information security industry. It’s absolutely necessary. However, the government has no business licensing information security professionals. The role of government is to make sure that some IT or security hack doesn’t defraud another person by claiming to have such credentials without actually earning them.

Why create even more of a regulatory burden on yet another industry? I say hands off, bureaucrats. If you want to implement certification and licensing requirements for people doing work for the Federal government, knock yourselves out. Just stay away from private industry. The free market can work things out just fine if it’s left alone to do so.